Passed OSCP on 2nd Attempt!

The preparation

I’ve been preparing this OSCP thing for almost 4 years. No, I am not kidding. This OSCP is a cultivation of all the knowledge you learn in IT/CS course. OSCP is golden standard when it comes to Penetration Testing that’s why I’m really eager to get this one. This is not the most insane technical exam, but I could say it’s close to insane. Most topics you need to be aware prior on taking OSCP are the following but not limited to: Networking, Basic Programming, OS Fundamentals, Web and Application fundamentals, Basic Researching, CyberSecurity methodologies and frameworks and the Art of Being Persistent.

You need to at least know basic networking, so you know how tunnels work, how machine communicates on different protocols, and a lot more! You will also need to understand networking so you can pivot your paths deep on the network you are penetrating. Having a strong background in networking can definitely help you!

You will also need to know Basic Programming. There are times that you want to automate a certain workload than having it doing manual to save time. Having programming on your skill set also strengthen the ability to read code and find probable errors/vulnerability on applications.

OS Fundamentals! Yes, this is important part of your skillset! You need to know the environment of the machines you are attacking. Sometimes, OS are vulnerable to kernel exploits, especially the old and unpatched OS. It’s also important on your skillset so you can quickly navigate through the machine. You need to at least know basic bash and powershell commands!

Web and Application fundamentals, you need to at least understand how web and application behaves. Most often, you need to find a vulnerability on applications so you can gain a foothold on the machine you are attacking.

Basic Researching, this is needed so you know what to search on the search engines, what to look for and what are the part of puzzles you need to find. Think of it like, the internet is a large haystack, and you need to search for a something that you don’t exactly know. You must have a strong critical thinking to find what you exactly need.

CyberSecurity methodologies and frameworks. These are basic concepts in security, like defense-in-depth, zero trust, and a lot more. These concepts can be usually used as opposite when playing in attacker or read team. Once you know he weakness of the network / machines, it’s easy to navigate through.

Art of Being Persistent. This is the willingness to go over and over, trying harder, and not giving up easily! You need to be persistent! You need to have the patience to sit for almost 12 hours a day just to solve a single problem! As OffSec says: “TRY HARDER!”

Before I took OSCP, I went to HTB first. I already talked about HTB on my past article, you can check it here: http://mark.rxmsolutions.com/oscp-a-little-update/.
Basically, I took HTB academy modules first because HTB offers lifetime access to their learning modules. In this way, you can grasp the feeling on how you can effectively use the tools. When you enroll to OSCP, you are only given 90 days to work out the activities and labs, and their pricing is not a joke, so you need to be prepared before jumping in!

Also, as part of my preparation, I also finished boxes as indicated in these link: https://hackersinterview.com/oscp/oscp-like-machines-in-htb-vulnhub-tryhackme/.
They said that these boxes are OSCP-like boxes, so I went for it.

The Fall

So when I finished the activities and secured my bonus points for the OSCP Exam, I feel like I’m confident to jump on the exam.

I booked my OSCP exam. It was a 24-hour proctored exam.
To know more about the exam, check this link: https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide

During the exam, I was caught in the rabbit holes! I was focusing my energy on the wrong paths.
I cannot discuss anymore regarding the exam content. But my mistake was I’m making things complicated in my head.

I was awake 24 hours trying to pwn machines, but in the end, my scores wasn’t enough to pass my first attempt.

I failed.

The Rise

I went look back to learn what are my mistakes. I did a lot of readings, and practiced more.
And then I booked again for 2nd attempt!

On my 2nd attempt, when I attained the minimum passing score, I feel relieved!
But I still have a few hours left, so I did “TRY HARDER!”.
I stayed awake for almost 19 hours, and rested only for 5 hours.
I didn’t pwnd all machines, but my score is above the minimum 70 points.

After that 24 hour long exam, it feels like a hazing!
But it’s not over yet!
I have to make a report on my findings.
The report submission has 24 hour window.
I composed my report, checked everything, and submitted!

OSCP EXAM REPORT

My report was 35 pages. I included the step-by-step procedure on compromising the targets, and also a lot of screenshot!

After a few days, I received an email from OffSec. I was really anxious while reading the email.
And suddenly my heart skipped a beat!

I passed!

OffSec Certified Professional

For the Future Exam Takers

I will strongly advice to make things not complicated. Try simple solutions first.
I’ll also advice to take a lot of sleep before taking the exam. It’s a 24-hour long exam. You will probably be awake for the next 24 hours.
Second to the last advice I can give is to prepare a lot of foods and water, especially the foods that you can gain a lot of energy. Stay hydrated!.
And my important advice is to, always take a break! Have a lot of window to get rest!

What now?

I also finished the HTB Prolab’s Dante and HTB Prolab’s Offshore!
I’m practicing in the Prolabs because I’m planning to take CPTS soon, but I think I will take it after few more months from now as my focus will be shifted to my other life priorities.

Dante
Offshore

Above all, this wouldn’t be possible without the support of my partner.
I will always love you Ruffa! Thank you for the non-stop support!

Thank you so much for reading this guys!
More writeups to come soon!

Why so trusting?

Quick Context: Okay, so recently, we come across some fancy NFT project wherein “Students” are invited to join “Quizzes” and “Projects” to “Graduate”.

A “Graduate” means whitelisted for the mint of the NFT collection.

Our Goal

Our goal is to get into the top leaderboard so we can ensure our whitelist slot. And we want this by all means, so we use our hacker instinct to get advantage on the quiz.

However, we wouldn’t wanna overkill the contest. We didn’t spawn bots to automatically answer the quizzes (which is easy to do), so we just sticked with our bare hands, manually answering the quizzes. And we just stick to one-to-one account to human. We don’t want to disrupt the experience of other people.

The quiz

The quiz is a client sided web app. Meaning, all of the password for the quiz and questions are given to client without levels of authorization. Below are the steps of our reconnaissance and enumeration to extract the password and the set of question for a quiz.

Cracking the Password

Every quiz has different password. And our goal is to crack the password before the quiz starts (hours before the quiz so we have the chance to crack it).

Upon logging-in and browsing to /quiz page, we could see a web api requests. We can see that a request has a response that includes juicy information. We saw a json response that includes quiz details and we write down the _id and the password to our notes.

$2a$10$msFPZnG.NKHaCcVupGsQyuvpB8IwtZ7v3UxPBwf3fXe8hGdCMEwsu

The password is a bcrypt hash.

The first thing we did was to list all possible passwords and try to compare them against the hash.
But sadly, we didn’t got any “possible password” correct.

What is Bcrypt?

The input to the bcrypt function is the password string (up to 72 bytes), a numeric cost, and a 16-byte (128-bit) salt value. The salt is typically a random value. The bcrypt function uses these inputs to compute a 24-byte (192-bit) hash. The final output of the bcrypt function is a string of the form:

$2<a/b/x/y>$[cost]$[22 character salt][31 character hash]

For example, with input password abc123xyz, cost 12, and a random salt, the output of bcrypt is the string

$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
\__/\/ \____________________/\_____________________________/
Alg Cost      Salt                        Hash

Where:

  • $2a$: The hash algorithm identifier (bcrypt)
  • 12: Input cost (212 i.e. 4096 rounds)
  • R9h/cIPz0gi.URNNX3kh2O: A base-64 encoding of the input salt
  • PST9/PgBkqquzi.Ss7KIUgO2t0jWMUW: A base-64 encoding of the first 23 bytes of the computed 24 byte hash

The base-64 encoding in bcrypt uses the table ./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789,[9] which is different than RFC 4648 Base64 encoding.

Back to our discussion

So now we know the basics of bcrypt, we could now start attacking the password hash.

Well, luckily, we got a tool named hashcat.
Without having any more ideas about the password, we can now use the bruteforce technique.
We also know that the password only contains numbers.
So we could go bruteforce increment from ZERO until 10^n. Where n is the number of digits.

hashcat.exe -a 3 -m 3200 --increment --increment-min 1 --increment-max 8 $2a$10$msFPZnG.NKHaCcVupGsQyuvpB8IwtZ7v3UxPBwf3fXe8hGdCMEwsu ?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d

Here, we tell hashcat that our attack mode is Brute-force (-a 3), increment each password iteration (–increment), start from 1 digit (–increment-min 1), end the iteration with maximum of 8 digit (–increment-max 8), password hash that we found earlier ($2a$10$msFPZnG.NKHaCcVupGsQyuvpB8IwtZ7v3UxPBwf3fXe8hGdCMEwsu) and the pattern that we want our hashcat to follow (?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d?d).

To know more about hashcat, check this out: https://hashcat.net/wiki/doku.php?id=hashcat

And after some couple of minutes, we cracked the hash!

It took only 8 minutes for my GTX1050 to crack a 5-digit password. But it would definitely lasts more longer if the password was longer than 5-digit.
Luckily, the password for this quiz is shorter than the first set of quizzes so we are able to bruteforce this in a very small amount of time.

Extracting Questions

We found a page where we can browse the quiz. We just enter the password that we found for this quiz.

The web app then make a request to the web api and we could see a juicy information here that includes the quiz questionnaires (testData).

We just parse the testData. And boom! Successfully extracted the PASSWORD and the QUESTIONS.

Conclusion

I understand the intention of the developer that they don’t want the participants kinda “DDoS” their servers by having a lot of authentication and authorization though their servers. They just give all their password and quiz data to the client because they want the validation to be on client’s side and not having loads to their server.

The web app’s architecture, does not really abide the Zero Trust Security because they just make the client’s authorized themselves and “trusts” them without proper validation.

Thanks for reading this short writeup!
I hope you enjoy and see you on my next writeup!